freeipa/ipaplatform
Florence Blanc-Renaud 3b007b7bba Always define the path DNSSEC_OPENSSL_CONF
The variable was None by default and set to /etc/ipa/dnssec/openssl.cnf
for fedora only because the code is specific to the support of pkcs11
engine for bind. As a consequence ipa-backup had a "None" value in the
list of files to backup and failed on Exception.

ipa-backup code is able to handle missing files, and the code using
the pkcs11 engine is called only when NAMED_OPENSSL_ENGINE is set
(only in fedora so far). It is safe to always define a value for
DNSSEC_OPENSSL_CONF even on os where it does not exist.

The fix also improves the method used to verify that a path exists.

Fixes: https://pagure.io/freeipa/issue/8597
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2020-11-30 15:52:19 +01:00
..
base Always define the path DNSSEC_OPENSSL_CONF 2020-11-30 15:52:19 +01:00
debian ipatests: Respect platform's openssl dir 2020-11-17 14:25:39 +02:00
fedora Always define the path DNSSEC_OPENSSL_CONF 2020-11-30 15:52:19 +01:00
fedora_container Add missing fedora_container platform members 2020-09-29 12:06:24 +02:00
redhat Configure systemd-resolved to use IPA's BIND 2020-09-23 16:44:26 +02:00
rhel Add User and Group to all ipaplatform.constants 2020-09-22 09:23:18 -04:00
rhel_container Add User and Group to all ipaplatform.constants 2020-09-22 09:23:18 -04:00
suse ipatests: Respect platform's openssl dir 2020-11-17 14:25:39 +02:00
__init__.py Make ipaplatform a regular top-level package 2020-05-05 11:47:16 +02:00
_importhook.py Py3: Remove subclassing from object 2018-09-27 11:49:04 +02:00
constants.py Add absolute_import future imports 2018-04-20 09:43:37 +02:00
Makefile.am Use namespace-aware meta importer for ipaplatform 2017-11-15 14:17:24 +01:00
osinfo.py Allow to override ipaplatform with env var 2020-07-30 11:38:25 +02:00
override.py.in Use namespace-aware meta importer for ipaplatform 2017-11-15 14:17:24 +01:00
paths.py Add absolute_import future imports 2018-04-20 09:43:37 +02:00
README.md Don't configure authselect in containers 2020-08-06 14:20:54 +02:00
services.py Add absolute_import future imports 2018-04-20 09:43:37 +02:00
setup.cfg Port all setup.py to setuptools 2016-10-20 18:43:37 +02:00
setup.py Add ipaplatform for Fedora and RHEL container 2020-07-30 11:38:25 +02:00
tasks.py Add absolute_import future imports 2018-04-20 09:43:37 +02:00

IPA platform abstraction

The ipaplatform package provides an abstraction layer for supported Linux distributions and flavors. The package contains constants, paths to commands and config files, services, and tasks.

  • base abstract base platform
  • debian Debian- and Ubuntu-like
  • redhat abstract base for Red Hat platforms
  • fedora Fedora
  • fedora_container freeipa-container on Fedora
  • rhel RHEL and CentOS
  • rhel_container freeipa-container on RHEL and CentOS
  • suse OpenSUSE and SLES
[base]
  ├─ debian
  ├─[redhat]
  │   ├─ fedora
  │   │   └─ fedora_container
  │   └─ rhel
  │       └─ rhel_container
  └─ suse

(Note: Debian and SUSE use some definitions from Red Hat namespace.)

freeipa-container platform

The fedora_container and rhel_container platforms are flavors of the fedora and rhel platforms. These platform definitions are specifically designed for freeipa-container. The FreeIPA server container implements a read-only container. Paths like /etc, /usr, and /var are mounted read-only and cannot be modified. The image uses symlinks to store all variable data like config files and LDAP database in /data.

  • Some commands don't write through dangling symlinks. The IPA platforms for containers prefix some paths with /data.
  • ipa-server-upgrade verifies that the platform does not change between versions. To allow upgrades of old containers, sysupgrade maps $distro_container to $distro platform.
  • The container images come with authselect pre-configured with sssd with-sudo option. The tasks modify_nsswitch_pam_stack and migrate_auth_configuration are no-ops. ipa-restore does not restore authselect settings. ipa-backup still stores authselect settings in backup data.
  • The --mkhomedir option is not supported.